AppAngio: Revealing Contextual Information of Android App Behaviors by API-Level Audit Logs
IEEE Transactions on Information Forensics and Security (IF 6.8), Pub Date: 2020-12-14, DOI: 10.1109/tifs.2020.3044867
Zhaoyi Meng, Yan Xiong, Wenchao Huang, Fuyou Miao, Jianmeng Huang

Android users are now suffering severe threats from unwanted behaviors of various apps. The analysis of apps’ audit logs is one of the essential methods for the security analysts of various companies to unveil the underlying maliciousness within apps. We propose and implement AppAngio, a novel system that reveals contextual information in Android app behaviors by API-level audit logs. Our goal is to help security analysts understand how the target apps worked and facilitate the identification of the maliciousness within apps. The key module of AppAngio identifies the path matched with the logs on the app’s control-flow graphs (CFGs). The challenge, however, is that the limited-quantity logs may incur high computational complexity in the log matching, where there are a large number of candidates caused by the coupling relation of successive logs. To address the challenge, we propose a divide-and-conquer strategy that precisely positions the nodes matched with log records on the corresponding CFGs and connects the nodes with as few backtracks as possible. Our experiments show that AppAngio reveals contextual information of behaviors in real-world apps. Moreover, the revealed results assist the analysts in identifying the maliciousness of app behaviors and complement existing analysis schemes. Meanwhile, AppAngio incurs negligible performance overhead on the real device in the experiments.

Updated: 2021-01-12